In this guide we’ll set up and configure Jitsi with JWT authentication and moderated meetings, so that you can host video conferences for several hundred (thousands, depending on your server) users, with the capability to host webinars.

The last couple of years have been very productive in the open source area. More and more companies have decided to go open source, and with that many great new open-source (and free) options are available for both your company and your private day-to-day life. One of those services is Jitsi, one of the best (if not the best) video conference software packages. A big bonus is that it’s free to use, and you can even run it on your own server! If you care about privacy and your integrity, Jitsi is something for you. Eager to begin? Well, let’s do it!

Install Jitsi

First of all, you need to install the Jitsi “base”. It’s super easy since the developers made configuring the packages very straightforward. We won’t reinvent the wheel here, so take a look at their own guide.

We’ll install Jitsi on Ubuntu 22.04 (minimal) and here’s a short summary of the steps. You can also use our install script which will do everything for you automatically. The script is still WIP as of 2023-03-08.

Dependencies
sudo apt-get update && sudo apt-get install lshw net-tools apt-utils gnupg2 nginx-full apt-transport-https ufw -y
Prosody repository
curl -sL https://prosody.im/files/prosody-debian-packages.key | sudo tee /etc/apt/keyrings/prosody-debian-packages.key
echo "deb [signed-by=/etc/apt/keyrings/prosody-debian-packages.key] http://packages.prosody.im/debian $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/prosody-debian-packages.list
Jitsi repository
curl -sL https://download.jitsi.org/jitsi-key.gpg.key | gpg --dearmor | sudo tee /usr/share/keyrings/jitsi-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/jitsi-keyring.gpg] https://download.jitsi.org stable/" | sudo tee /etc/apt/sources.list.d/jitsi-stable.list
More dependencies
sudo apt-get update && sudo apt-get install lua5.2 -y
Add UFW allow rules

This step is optional since you can control this in your gateway, and all the services that need to be opened are automatically opened by Ubuntu. But, just to make sure, it could be a good idea to add this.

ufw allow 80/tcp
ufw allow 443/tcp
ufw allow 10000/udp
ufw allow 22/tcp
ufw allow 3478/udp
ufw allow 5349/tcp
ufw --force enable
ufw status verbose
Kernel tuning
sed -i "s|.*DefaultLimitNOFILE=.*|DefaultLimitNOFILE=65000|g" /etc/systemd/system.conf
sed -i "s|.*DefaultLimitNPROC=.*|DefaultLimitNPROC=65000|g" /etc/systemd/system.conf
sed -i "s|.*DefaultTasksMax=.*|DefaultTasksMax=65000|g" /etc/systemd/system.conf
Install Jitsi-meet
apt-get install jitsi-meet

The recommended option here is to use Let’s Encrypt for TLS. To be able to obtain a certificate you need 2 things:
1. A domain, e.g. jitsi.yourdomain.com
2. Port 80/443 opened in your firewall/gateway

JWT authentication

Install and setup jitsi-meet-tokens
sudo apt install jitsi-meet-tokens

During the setup you will be asked to add your ID and SECRET. These can be anything, like a super long password, e.g. 6TBGBuMaX8CpMtjqL53RgaqFCYSfhP2jR5RHDZLrQFzYBcPyG8. Remember, ID and SECRET should be different! Do not use our example password; create your own and save them in a secure place.

Disable auto-owner
hocon -f /etc/jitsi/jicofo/jicofo.conf \
    set jicofo.conference.enable-auto-owner false

You may test your tokens on jitok, or jwt.io.

{
  "aud": "jitsi",
  "iss": "your token ID goes here",
  "sub": "jitsi.yourdomain.com",
  "room": "*",
  "context": {
    "user": {}
  }
}
Enable tokens

Change

allow_empty_token = true;

in

/etc/prosody/conf.d/jitsi.yourdomain.com.cfg.lua

And restart your services

systemctl restart prosody.service
systemctl restart jicofo.service

Moderated meetings

.env Config Microservice

The keypair can be generated with openssl:

openssl genrsa -out keypair.pem 2048
openssl rsa -in keypair.pem -pubout -out publickey.pem
openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in keypair.pem -out moderated.der

Get the private_key_id for the .env file with this command:

echo -n [NAME_OF_PRIVATE_KEY.der] | shasum -a 256

Change the publickey.pem name to the fetched private_key_id.

DEPLOYMENT_URL= url to the jitsi meet instance ex. https://jitsi.yourdomain.com/ (ending with a /)
PORT= Port for the microservice
PRIVATE_KEY_FILE= ex. path/to/key/moderated.der
PRIVATE_KEY_ID= for this instance it would be '3c582c2fd86242e0a3655642607d548b5c271d4e1fe21ee7aa548438b3858640' as explained above
TARGET_TENANT= Tenant of your choice ex. moderated
Key Server

Next you’ll need to be able to serve the public key to the Jitsi instance. If you do not have a dedicated server for serving files, you could just set up a simple python http.server to test it out before creating a permanent solution.

Create a new folder and add the public key to it.

python3 -m http.server [PORT]
Jitsi Meet Config

Add the following global variables to the top section of /etc/prosody/conf.d/jitsi.yourdomain.com.cfg.lua. Either set them to * or specify the accepted issuers and audiences for the instance:

…
asap_accepted_issuers = {"*"};
asap_accepted_audiences = {"*"};
…

Then go to the VirtualHost section and add/make sure the following is enabled:

VirtualHost "[jitsi.yourdomain.com]"
…
authentication = "token";
app_id=[SPECIFIED ON JITSI-MEET-TOKENS INSTALL];
asap_key_server=[URL_TO_KEY_SERVER];
allow_empty_token = true;

Don’t forget to comment out the app_secret line like this, since we are now using public keys:

-- app_secret="super-secret-string"

Modify the conference.[jitsi.yourdomain.com] component. Add muc_allowners to modules_enabled and set the allowners_moderated_subdomains to the target tenant you specified during the microservice setup.

Component "conference.[jitsi.yourdomain.com]" "muc"
…
modules_enabled = {
"muc_allowners";
…
}
allowners_moderated_subdomains = { "moderated" }
…

sudo systemctl restart prosody && sudo systemctl restart jicofo && sudo systemctl restart jitsi-videobridge2
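A quick review pass over the token settings edited above, as an added example (not from the original guide or the Jitsi project): it flags wildcard issuer/audience lists, allow_empty_token, an app_secret left active beside asap_key_server, and a key server reached over plain HTTP such as the python3 -m http.server test setup. SAMPLE_CFG, its app_id and its key-server URL are constructed, and the comment stripping assumes the file only uses `--` line comments.

```python
import re

# Constructed sample built from the snippets in this guide (placeholder values).
SAMPLE_CFG = '''
asap_accepted_issuers = {"*"};
asap_accepted_audiences = {"*"};
VirtualHost "jitsi.yourdomain.com"
    authentication = "token";
    app_id="my_app_id";
    asap_key_server="http://keys.example.invalid:8000";
    allow_empty_token = true;
    -- app_secret="super-secret-string"
'''

def audit_token_config(text):
    """Return {option: finding} for token settings that deserve a second look."""
    # Drop Lua line comments so a commented-out app_secret is not counted.
    cfg = "\n".join(line.split("--", 1)[0] for line in text.splitlines())

    def value_of(option):
        m = re.search(rf'^\s*{option}\s*=\s*(.+?);?\s*$', cfg, re.MULTILINE)
        return m.group(1) if m else None

    findings = {}
    for opt in ("asap_accepted_issuers", "asap_accepted_audiences"):
        if '"*"' in (value_of(opt) or ""):
            findings[opt] = "wildcard: any value in the token passes this check"
    if value_of("allow_empty_token") == "true":
        findings["allow_empty_token"] = "participants without a token are admitted"
    key_server = value_of("asap_key_server")
    if key_server and value_of("app_secret"):
        findings["app_secret"] = "shared secret still active beside asap_key_server"
    if key_server and key_server.strip('"').startswith("http://"):
        findings["asap_key_server"] = "public keys are fetched over plain HTTP"
    return findings

if __name__ == "__main__":
    for option, finding in audit_token_config(SAMPLE_CFG).items():
        print(f"{option}: {finding}")
```

To check a live host, pass the contents of /etc/prosody/conf.d/jitsi.yourdomain.com.cfg.lua to audit_token_config() instead of SAMPLE_CFG.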
Download moderated meetings
git clone https://github.com/jitsi/moderated-meetings.git

Run the service

npm run build && source .env && mvn spring-boot:run

Do you need help?

Now you should have Jitsi with JWT authentication and moderated meetings set up! If you need help, or are looking for someone that can host this for you, please contact Redpill Linpro, experts in Jitsi.